CWE-611
Improper Restriction of XML External Entity Reference
Description
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-221
CVEs mapped to this weakness (684)
page 10 of 35

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-6670 | | High | 0.50 | 7.6 | 0.01 | | Jun 7, 2018 | External Entity Attack vulnerability in the ePO extension in McAfee Common UI (CUI) 2.0.2 allows remote authenticated users to view confidential information via a crafted HTTP request parameter. |
| CVE-2018-10613 | | High | 0.50 | 7.5 | 0.18 | | Jun 4, 2018 | Multiple variants of XML External Entity (XXE) attacks may be used to exfiltrate data from the host Windows platform in GE MDS PulseNET and MDS PulseNET Enterprise version 3.2.1 and prior. |
| CVE-2017-11272 | | High | 0.50 | 7.5 | 0.13 | | Aug 11, 2017 | Adobe Digital Editions 4.5.4 and earlier has a security bypass vulnerability. |
| CVE-2014-0225 | | High | 0.50 | 8.8 | 0.02 | | May 25, 2017 | When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack. |
| CVE-2016-7459 | | High | 0.50 | 7.7 | 0.02 | | Dec 29, 2016 | VMware vCenter Server 5.5 before U3e and 6.0 before U2a allows remote authenticated users to read arbitrary files via a (1) Log Browser, (2) Distributed Switch setup, or (3) Content Library XML document containing an external entity declaration in conjunction with an entity… |
| CVE-2016-5851 | | High | 0.50 | 8.8 | 0.02 | | Dec 21, 2016 | python-docx before 0.8.6 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted document. |
| CVE-2023-42346 | — | High | 0.49 | 7.5 | 0.00 | | May 8, 2026 | Alkacon OpenCms before 16 allows XXE when the <!DOCTYPE> refers to an external host. |
| CVE-2024-13971 | | High | 0.49 | 7.5 | 0.00 | | Apr 30, 2026 | Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobster_pro prior to version 4.12.6-GA. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services. |
| CVE-2024-39847 | — | High | 0.49 | 7.5 | 0.00 | | Apr 30, 2026 | Unauthenticated attackers can exploit a weakness in the XML parser functionality of the SOAP endpoints in 4D server. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services. |
| CVE-2024-2374 | — | High | 0.49 | 7.5 | 0.00 | | Apr 16, 2026 | The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of… |
| CVE-2026-29924 | | High | 0.49 | 7.6 | 0.00 | | Mar 30, 2026 | Grav CMS v1.7.x and before is vulnerable to XML External Entity (XXE) through the SVG file upload functionality in the admin panel and File Manager plugin. |
| CVE-2025-44044 | | High | 0.49 | 7.5 | 0.00 | | Jun 10, 2025 | Keyoti SearchUnit prior to 9.0.0 is vulnerable to XML External Entity (XXE). An attacker who can force a vulnerable SearchUnit host into parsing maliciously crafted XML and/or DTD files can exfiltrate some files from the underlying operating system. |
| CVE-2024-52807 | — | High | 0.49 | 8.6 | 0.01 | | Jan 24, 2025 | The HL7 FHIR IG publisher is a tool to take a set of inputs and create a standard FHIR IG. Prior to version 1.7.4, XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag `( ]>` could produce… |
| CVE-2024-55887 | | High | 0.49 | 8.6 | 0.01 | | Dec 13, 2024 | Ucum-java is a FHIR Java library providing UCUM Services. In versions prior to 1.0.9, XML parsing performed by the UcumEssenceService is vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host… |
| CVE-2024-52007 | | High | 0.49 | 8.6 | 0.01 | | Nov 8, 2024 | HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components is vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( <!DOCTYPE foo [<!ENTITY example… |
| CVE-2024-45294 | | High | 0.49 | 8.6 | 0.01 | | Sep 6, 2024 | The HL7 FHIR Core Artifacts repository provides the java core object handling code, with utilities (including validator), for the Fast Healthcare Interoperability Resources (FHIR) specification. Prior to version 6.3.23, XSLT transforms performed by various components are… |
| CVE-2024-45490 | | High | 0.49 | 7.5 | 0.02 | | Aug 30, 2024 | An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. |
| CVE-2018-11796 | | High | 0.49 | 7.5 | 0.07 | | Oct 9, 2018 | In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity… |
| CVE-2018-16303 | | High | 0.49 | 7.5 | 0.02 | | Sep 1, 2018 | PDF-XChange Editor through 7.0.326.1 allows remote attackers to cause a denial of service (resource consumption) via a crafted x:xmpmeta structure, a related issue to CVE-2003-1564. |
| CVE-2018-13823 | | High | 0.49 | 7.5 | 0.02 | | Aug 30, 2018 | An XML external entity vulnerability in the XOG functionality, in CA PPM 14.3 and below, 14.4, 15.1, 15.2 CP5 and below, and 15.3 CP2 and below, allows remote attackers to access sensitive information. |